OpenChain-Project / Security-Assurance-Specification


[Improvement] Align "Terms and Definitions" in Section 2 with Licensing Spec 3.0 #30

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 1 year ago

We changed some stuff in the licensing spec on the last call:

Improved Terms and Definitions as per OpenChain Monthly North America and Europe Call - 2023-06-06:

Added some words on our side: https://github.com/OpenChain-Project/License-Compliance-Specification/commit/78ba24492cdcfaf65a32c3de9f95044dabdafa9c

Updated Terms and Definitions with key words as per https://www.ietf.org/rfc/rfc2119.txt: https://github.com/OpenChain-Project/License-Compliance-Specification/issues/67

shanecoughlan commented 1 year ago

Change would be from:

2: Terms, Definitions and Examples

For the purposes of this document, the following terms and definitions apply.

To

2 - Terms and definitions

For the purposes of this document, the following terms and definitions apply. These terms and definitions only apply to this specific version of the specification.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as:

MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

MUST NOT This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

MAY This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

These definitions are originally from IETF RFC 2119: https://www.ietf.org/rfc/rfc2119.txt

shanecoughlan commented 1 year ago

I am going to update the security spec with the current language as per the call of 2023-06-20; however, I am keeping this issue open for the clarity improvement suggestion at the beginning by Singing and the potential flag to check for ISO vs IETF language conflicts by Ninjouji San.

Here are the ISO definitions to review: https://www.iso.org/foreword-supplementary-information.html

Please note the IETF definitions were proposed and applied via the following issue on the compliance spec: https://github.com/OpenChain-Project/License-Compliance-Specification/issues/67

snoopy60313 commented 1 year ago

I would like to give a suggestion for the format. We add quotation marks for MUST, SHOULD NOT, and MAY (the first letter of each paragraph) corresponding to "REQUIRED", "SHALL", "SHALL NOT", "NOT RECOMMENDED" and "OPTIONAL". Adding quotation marks will make the format more aligned for the reader.

shanecoughlan commented 1 year ago

Singing's comments included on quotation marks, and Helio also caught that "NOT RECOMMENDED" was missing from the keywords but used in the full text. Fixed both for us, and will submit back to IETF. Alignment agreed between licensing and security spec.

== Fix below ==

For the purposes of this document, the following terms and definitions apply. These terms and definitions only apply to this specific version of the specification.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as:

"MUST" This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

"MUST NOT" This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

"SHOULD" This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

"SHOULD NOT" This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

"MAY" This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

These definitions are originally from IETF RFC 2119: https://www.ietf.org/rfc/rfc2119.txt

shanecoughlan commented 1 year ago

We also reviewed ISO vs IETF language potential conflicts flagged as TODO item by Ninjouji San.

Here are the ISO definitions to review: https://www.iso.org/foreword-supplementary-information.html

No conflicts found.

We are done with this ticket, and will update both specs, with one proviso to add a final line:

== Final Language ==

For the purposes of this document, the following terms and definitions apply. These terms and definitions only apply to this specific version of the specification.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as:

"MUST" This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

"MUST NOT" This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

"SHOULD" This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

"SHOULD NOT" This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

"MAY" This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

These definitions are originally from IETF RFC 2119: https://www.ietf.org/rfc/rfc2119.txt We reviewed the ISO definitions to confirm no conflict: https://www.iso.org/foreword-supplementary-information.html

shanecoughlan commented 1 year ago

This is a background information note rather than a request for a re-edit. Chris Wood from Lockheed Martin flagged it.

==

Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words

Abstract

RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Status of This Memo

This memo documents an Internet Best Current Practice.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8174.

Leiba Best Current Practice [Page 1]

RFC 8174 RFC 2119 Clarification May 2017

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
2. Clarifying Capitalization of Key Words
3. IANA Considerations
4. Security Considerations
5. Normative References
Author's Address

1. Introduction

RFC 2119 specifies common key words, such as "MUST", "SHOULD", and "MAY", that may be used in protocol specifications. It says that the key words "are often capitalized," which has caused confusion about how to interpret non-capitalized words such as "must" and "should".

This document updates RFC 2119 by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document is part of BCP 14.

== Actual document ==

Here: https://www.rfc-editor.org/rfc/rfc2119

== Contents ==

Key words for use in RFCs to Indicate Requirement Levels

Status of this Memo

This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

Abstract

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
  NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
  "OPTIONAL" in this document are to be interpreted as described in
  [RFC 2119](https://www.rfc-editor.org/rfc/rfc2119).

Note that the force of these words is modified by the requirement level of the document in which they are used.

1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

2. MUST NOT This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

5. MAY This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

6. Guidance in the use of these Imperatives

Imperatives of the type defined in this memo must be used with care and sparingly. In particular, they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions). For example, they must not be used to try to impose a particular method on implementors where the method is not required for interoperability.

7. Security Considerations

These terms are frequently used to specify behavior with security implications. The effects on security of not implementing a MUST or SHOULD, or doing something the specification says MUST NOT or SHOULD NOT be done may be very subtle. Document authors should take the time to elaborate the security implications of not following recommendations or requirements as most implementors will not have had the benefit of the experience and discussion that produced the specification.

8. Acknowledgments

The definitions of these terms are an amalgam of definitions taken from a number of RFCs. In addition, suggestions have been incorporated from a number of people including Robert Ullmann, Thomas Narten, Neal McBurnett, and Robert Elz.